RFR: JDK-8237490: [macos] Add support notarizing jpackage app-image and dmg
Andy Herrick
andy.herrick at oracle.com
Tue Apr 7 12:11:28 UTC 2020
Alexander:
Can I take it your OK with revising these tests in the followup CR ?
/Andy
On 4/4/20 8:53 AM, Andy Herrick wrote:
> I think it best to modify these checks as part of a separate issue,
> and leave these checks disabled as part of JDK-8237490. I have filed
> JDK-8242155 to enhance these tests, including restoring these checks.
>
> /ANdy
>
> On 4/3/2020 7:29 PM, Alexander Matveev wrote:
>> Hi Andy,
>>
>> http://cr.openjdk.java.net/~herrick/8237490/webrev.07/test/jdk/tools/jpackage/macosx/base/SigningBase.java.frames.html
>>
>> Maybe better to check for Catalina case as well, instead of disabling
>> check. We can assume that on Catalina code 3 and not notarized will
>> consider as pass. In case if it fails for some other reasons.
>>
>> Otherwise looks fine.
>>
>> Thanks,
>> Alexander
>>
>> On 4/3/20 7:20 AM, Andy Herrick wrote:
>>> sorry missing webrev pointer [4]
>>>
>>> [4] - http://cr.openjdk.java.net/~herrick/8237490/webrev.07
>>>
>>> /Andy
>>>
>>> On 4/3/2020 9:24 AM, Andy Herrick wrote:
>>>> please review this revised webrev [4] to issue [2]
>>>>
>>>> The previous version generated a signed app that could be
>>>> notarized, but then couldn't run because signing the whole app
>>>> resigned the executable with reduced entitlements.
>>>>
>>>> This revision adds back in the entitlements when signing the whole
>>>> app, as well as fixing the unit test that was failing the spctl
>>>> call on Catalina due to signed app not being notarized.
>>>>
>>>>
>>>> /Andy
>>>>
>>>> On 3/30/2020 1:19 PM, Andy Herrick wrote:
>>>>> revised with minor fixes as per below - webrev at [3]
>>>>>
>>>>> [3] http://cr.openjdk.java.net/~herrick/8237490/webrev.06/
>>>>>
>>>>> /Andy
>>>>>
>>>>> On 3/28/2020 9:43 AM, Andy Herrick wrote:
>>>>>>
>>>>>> On 3/27/2020 5:18 PM, Alexander Matveev wrote:
>>>>>>> Hi Andy,
>>>>>>>
>>>>>>> http://cr.openjdk.java.net/~herrick/8237490/webrev.05/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/MacAppImageBuilder.java.frames.html
>>>>>>>
>>>>>>> Line 819,857,902 - Looks like temp debug log message. Remove it
>>>>>>> or align with rest of code.
>>>>>> I will fix this.
>>>>>>> http://cr.openjdk.java.net/~herrick/8237490/webrev.05/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/MacResources.properties.frames.html
>>>>>>>
>>>>>>> Line 70 - Capital F.
>>>>>> and this
>>>>>>>
>>>>>>> Since we added "--timestamp" and "--options runtime" to
>>>>>>> codesign, will it work with older Xcode and macOS we planning to
>>>>>>> support?
>>>>>> not sure - may need some discussion of what we support and
>>>>>> possible conditional code here.
>>>>>>>
>>>>>>> Do we need any adjustments to signing tests we have?
>>>>>>
>>>>>> The existing tests pass, but this is not unexpected (and really
>>>>>> means nothing) since the signing tests are all skipped unless
>>>>>> specific test certs are installed on target machine.
>>>>>>
>>>>>> We need further discussion how one is expected to provision a
>>>>>> machine to run these tests.
>>>>>>
>>>>>> /Andy
>>>>>>
>>>>>>>
>>>>>>> Otherwise looks fine.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Alexander
>>>>>>>
>>>>>>> On 3/27/20 12:35 PM, Andy Herrick wrote:
>>>>>>>> Please review the fix to issue [1] at [2].
>>>>>>>>
>>>>>>>> This change enables notarization on Mac for dmg images and
>>>>>>>> app-image zip files.
>>>>>>>>
>>>>>>>> /Andy
>>>>>>>>
>>>>>>>> [1]: https://bugs.openjdk.java.net/browse/JDK-8237490
>>>>>>>>
>>>>>>>> [2]: http://cr.openjdk.java.net/~herrick/8237490
>>>>>>>>
>>>>>>>
>>
More information about the core-libs-dev
mailing list